@giseongeom
Created December 15, 2021 15:48
Check AWS IAM User last used and login date
#Requires -version 5.1
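function Check-IAMUserLastUsed () {
    <#
    .SYNOPSIS
        Reports whether an IAM user's console password and access keys have been used
        within the last $TargetDays days.
    .DESCRIPTION
        Looks the user up with Get-IAMUser, then compares PasswordLastUsed and every
        access key's LastUsedDate against (now - TargetDays). The per-credential detail
        lines are printed only when at least one credential is stale.

        Side effects kept from the original: the chosen profile/region are applied as
        session-wide defaults (Set-AWSCredential / Set-DefaultAWSRegion) and
        $env:AWS_PROFILE is set for the current process.
    .PARAMETER UserName
        IAM user name to inspect (mandatory).
    .PARAMETER TargetDays
        Age threshold in days; a credential unused for longer than this is "not used".
        Defaults to 180.
    .PARAMETER AWS_Profile
        Named credential profile to use. Defaults to "default".
    .PARAMETER AWS_Region
        Region for the IAM calls. Defaults to "us-east-1".
    .OUTPUTS
        System.String report lines on the success stream; warnings on the warning stream
        when an IAM call fails.
    #>
    param
    (
        [Parameter(Mandatory = $true)]
        [string]$UserName,
        [Parameter(Mandatory = $false)]
        [int]$TargetDays = 180,
        [Parameter(Mandatory = $false)]
        [string]$AWS_Profile = "default",
        [Parameter(Mandatory = $false)]
        [string]$AWS_Region = "us-east-1"
    )
    # Preference variables assigned here are local to this function's scope.
    $ErrorActionPreference = 'Stop'

    # A "never used" timestamp is either $null or DateTime.MinValue (year 1), depending
    # on the SDK version returning the value; treat both the same way.
    function Test-NeverUsed ([object]$When) {
        return ($null -eq $When) -or ($When.Year -eq 1)
    }

    # Import modules
    Import-Module AWS.Tools.Common
    Import-Module AWS.Tools.IdentityManagement

    # Credential & Region (session-wide defaults, as in the original)
    Set-AWSCredential -ProfileName $AWS_Profile
    Set-DefaultAWSRegion -Region $AWS_Region
    $env:AWS_PROFILE = $AWS_Profile

    $targetdate = (Get-Date).AddDays(-$TargetDays)

    # Only the user lookup may fail quietly: "not found" is an expected outcome.
    # Every other IAM call stays under 'Stop' (with explicit try/catch below) so that an
    # AccessDenied or throttling error is surfaced instead of being reported as "not used"
    # -- a $null LastUsedDate compares as older than $targetdate and would be a false
    # negative in the report.
    $IAMUser = Get-IAMUser -UserName $UserName -ErrorAction SilentlyContinue
    if (-not $IAMUser) {
        "User - `'$UserName`' not found! Exiting....."
        # 'Break' outside a loop terminates the *caller's* script; 'return' leaves only
        # this function.
        return
    }

    # Console Password
    $Console_Password_LastUsed = $IAMUser.PasswordLastUsed
    $Is_Console_NotUsed = (Test-NeverUsed $Console_Password_LastUsed) -or
        ($targetdate -gt $Console_Password_LastUsed)

    # AccessKeyId: query LastUsedDate once per key and keep it for the report below
    # (the original called Get-IAMAccessKeyLastUsed twice per key).
    try {
        $AccessKeys = @(Get-IAMAccessKey -UserName $UserName)
    } catch {
        Write-Warning "Could not list access keys for '$UserName': $($_.Exception.Message)"
        $AccessKeys = @()
    }
    $KeyUsage = @(foreach ($key in $AccessKeys) {
        $lastUsed = $null
        $lookupFailed = $false
        try {
            $lastUsed = (Get-IAMAccessKeyLastUsed -AccessKeyId $key.AccessKeyId).AccessKeyLastUsed.LastUsedDate
        } catch {
            Write-Warning "Could not read last-used date for key $($key.AccessKeyId): $($_.Exception.Message)"
            $lookupFailed = $true
        }
        [pscustomobject]@{
            AccessKeyId  = $key.AccessKeyId
            LastUsed     = $lastUsed
            LookupFailed = $lookupFailed
        }
    })
    # A key whose lookup failed is neither "used" nor "not used"; it is excluded from the
    # staleness decision and called out separately in the report.
    $Is_AccessKey_NotUsed = $false
    foreach ($usage in $KeyUsage) {
        if (-not $usage.LookupFailed -and ($targetdate -gt $usage.LastUsed)) {
            $Is_AccessKey_NotUsed = $true
        }
    }

    <#
    TODO: MFA support
    # MFA
    $Is_Mfa_NotUsed = $false
    $mfadevices = Get-IAMMFADevice -UserName $UserName -ErrorAction SilentlyContinue
    if (($mfadevices | Measure-Object).count -eq 0) {
    $Is_Mfa_NotUsed = $true
    }
    #>

    $UserArn = $IAMUser.Arn
    "iamUserName: $UserName"
    "iamUserArn : $UserArn"
    if ($Is_Console_NotUsed -or $Is_AccessKey_NotUsed) {
        if (Test-NeverUsed $Console_Password_LastUsed) {
            "Web console: not used"
        } else {
            $last_login_since = ((Get-Date) - $Console_Password_LastUsed).Days
            "Web console: last logged at $Console_Password_LastUsed ($last_login_since days ago)"
        }
        foreach ($usage in $KeyUsage) {
            if ($usage.LookupFailed) {
                "AccessKeyId: $($usage.AccessKeyId) last-used lookup failed (see warning)"
            } elseif (Test-NeverUsed $usage.LastUsed) {
                "AccessKeyId: $($usage.AccessKeyId) not used"
            } else {
                $last_used_since = ((Get-Date) - $usage.LastUsed).Days
                "AccessKeyId: $($usage.AccessKeyId) last used at $($usage.LastUsed) ($last_used_since days ago)"
            }
        }
    }
}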

giseongeom commented Dec 15, 2021

  • Usage
PS> Check-IAMUserLastUsed -AWS_Profile myawsprofile -UserName abuser

iamUserName: abuser
iamUserArn : arn:aws:iam::911237081788:user/abuser
Web console: last logged at 05/06/2020 20:24:47 (579 days ago)
AccessKeyId: AKIAIBF7CYTFRIKILU3A last used at 12/24/2019 13:57:00 (748 days ago)
